NFTs, or non-fungible tokens, are becoming the space that everyone is trying to enter. Recently, Meta also announced that it is planning to add NFTs to Instagram. OpenSea is currently the world’s largest NFT marketplace, and in February 2022 it fell prey to a phishing attack, resulting in panic among users. The hackers stole $1.7 million worth of NFTs from 17 users. Here’s everything that you need to know about the attack and what OpenSea is doing about it.
Hackers took $1.7 million in NFTs from OpenSea
The attack, which happened on 20th February 2022, was confirmed by Mr. Devin Finzer, co-founder and CEO of OpenSea. There were rumors going around that the hacker had stolen $200 million worth of NFTs, but the CEO clarified that they were false and that the hacker may have had $1.7 million of ETH from selling the stolen NFTs. It was also previously assumed that 32 users were affected by the attack. It was reported that 254 tokens were stolen. PeckShield, a blockchain security service, compiled a spreadsheet of the stolen tokens, which included Bored Ape Yacht Club and Mutant Ape Yacht Club tokens.
After the incident, the company tweeted, “We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website.” The CEO also insisted that affected NFT owners message him directly on Twitter.
When and how did the attack happen?
The phishing attack happened when the platform gave its users short notice to migrate NFTs from Ethereum to a new smart contract. This was seen as an opportunity, and many users claimed to have received an email from OpenSea which said that clicking on the link would enable them to migrate to the new contract system. Instead, users unknowingly gave the hackers access to their assets by clicking on that link. Put simply, the attack took place in two stages: first, the victim signed a blank check, and second, the attackers filled in the details to take ownership of the victims’ assets.
Although it happened while the company was updating its contract system, the company has denied that the attack originated from there. A flaw in the broader platform would have been exploited on a greater scale, and since the number of people targeted was small, it is unlikely that the attack originated from the system.
The effects of this attack
Only 17 users were identified as affected by this attack, but some other users were still unsure whether they were victims or not. Several users even tweeted about this, and many other users complained that OpenSea’s support team was not responsive enough to help in the situation. The company later tweeted that it was investigating the origin of the attack and trying to work out its exact details.
The company also made users aware of fake OpenSea support accounts on Twitter and notified them that the company’s support account is now verified. Fifteen hours after the attack, the company tweeted that the attack did not seem to be live anymore, since there had been no malicious activity for some time.
A couple of days following this attack, it was reported that the trading of NFTs witnessed a price dip. Its seven-day trading volume was down by 37% and there was a 19% dip in the number of traders on OpenSea.
Around a month after this attack, OpenSea is now facing three lawsuits from users who were affected by this incident. A man from Texas is suing the platform because of its security vulnerabilities and has asked for $1 million in damages. Timothy McKimmy’s Bored Ape #3475 token was stolen around 7th February 2022. The NFT was listed on OpenSea for 130 Ether, or around $338,000, and was later sold for 0.01 Ether. The man has also alleged that the platform knew about its security issues but did not take proper steps to inform users about them. The same lawyer has filed a similar $1 million lawsuit for Mr. Michael Vasile, and a third lawsuit has been filed in the U.S. District Court for the District of Nevada. All these cases are related to stolen Bored Ape Yacht Club tokens.
The CTO of OpenSea, Nadav Hollander, said that this attack has highlighted the need to raise awareness among NFT traders about the security issues surrounding off-chain signatures. This hack has certainly brought to light the need for increased security for NFTs.
This is not the first time OpenSea was hit by criminals
In January, hackers identified a flaw in the platform’s code which enabled them to buy NFTs for less than the market value. The affected users were reimbursed $1.8 million by OpenSea. Users certainly have to look into the safety measures that they can implement from their side to avoid getting stuck in such situations.
Also, with the lawsuits piling up on OpenSea’s desk, this could be the beginning of a huge problem for the company. The NFT world is still vulnerable to money laundering and other such frauds.
These lawsuits will certainly put some pressure on the company to improve its security and handle its customer issues better. Although there are several threads that explain the technicalities of the attack, and users have complained that the platform has not been responsive enough to their concerns, it is still unclear what will happen to those affected. Going by previous actions taken by the company, it may or may not compensate users for their losses.
The key takeaway from the whole situation is that NFT marketplaces should focus on increasing the security of their platforms. This way, users can feel more secure while transacting.